PowerShell + makecert.exe + !(Server2012)

I was recently asked to transition our servers' self-signed certificates used by RDP from sha1 to sha2. Easy, I thought: I'll use the New-SelfSignedCertificate cmdlet to create the certificate and WMI to apply it. Nope, the New-SelfSignedCertificate cmdlet is not available in Server 2008 R2, so I had to come up with another way. Cue makecert.exe. Makecert.exe is included in many of the Windows SDKs; however, the version needed to create certificates with sha256 is 6.3.9600.17298. I was able to find this in the Windows Software Development Kit (SDK) for Windows 8.1. You can google and download the SDK or use the one I have linked below (assuming you trust me).

Directly below is the script being launched with three parameters: the validity period of the cert, the domain name of the server, and a switch for verbose output. Notice that makecert.exe is in the same directory as the script; this is required.

The script is, for the most part, fairly well error-proofed:

  1. If makecert.exe is missing, it will tell you.
  2. If multiple sha256 self-signed certs are present in the local store, it will tell you.
  3. If a sha256 self-signed cert does not exist in the personal store, it will tell you.
  4. If the newly created sha256 self-signed cert has been incorrectly applied to RDP, it will tell you.

As with all PowerShell scripts that run .exe files with parameters, it's not easy. So don't judge when you see how I did it :).
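The same flow as an added, PowerShell 2.0-compatible example (this is not the author's downloadable script): create the sha256 self-signed cert with makecert.exe, perform the four checks listed above, and bind the thumbprint to the RDP-Tcp listener through WMI. The parameter names `$Fqdn` and `$ValidYears`, and the assumption that makecert.exe sits next to the script, are this example's own.

```powershell
# Added example: sha256 self-signed RDP certificate on Server 2008 R2 via makecert.exe + WMI.
# Assumes makecert.exe (6.3.9600.17298 from the Windows 8.1 SDK) is in the script's folder.
param(
    [string]$Fqdn = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName,
    [int]$ValidYears = 5
)
$ErrorActionPreference = 'Stop'

# Check 1: $PSScriptRoot does not exist for scripts in PS 2.0, so derive the folder from $MyInvocation.
$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$makecert  = Join-Path $scriptDir 'makecert.exe'
if (-not (Test-Path $makecert)) { throw "makecert.exe not found next to the script: $makecert" }

# Self-signed means Subject equals Issuer; sha256RSA is the signature algorithm we are moving to.
function Get-Sha256SelfSigned {
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $_.Issuer -and $_.SignatureAlgorithm.FriendlyName -eq 'sha256RSA' }
}

# Check 2: refuse to guess when more than one candidate is already in the store.
$existing = @(Get-Sha256SelfSigned)
if ($existing.Count -gt 1) {
    throw "Multiple sha256 self-signed certs present: $($existing | ForEach-Object { $_.Thumbprint })"
}

# Check 3: create the cert only if none exists, then confirm it landed in LocalMachine\My.
if ($existing.Count -eq 0) {
    $start = (Get-Date).ToString('MM/dd/yyyy')                       # makecert wants mm/dd/yyyy
    $end   = (Get-Date).AddYears($ValidYears).ToString('MM/dd/yyyy')
    # -a sha256 needs the newer makecert; -eku 1.3.6.1.5.5.7.3.1 = Server Authentication.
    & $makecert -r -pe -n "CN=$Fqdn" -b $start -e $end -eku 1.3.6.1.5.5.7.3.1 `
        -ss My -sr LocalMachine -sky exchange -a sha256 -len 2048 `
        -sp 'Microsoft RSA SChannel Cryptographic Provider' -sy 12
    if ($LASTEXITCODE -ne 0) { throw "makecert.exe failed with exit code $LASTEXITCODE" }
    $existing = @(Get-Sha256SelfSigned)
    if ($existing.Count -ne 1) { throw 'No sha256 self-signed cert found in LocalMachine\My after makecert ran' }
}
$cert = $existing[0]

# Bind the thumbprint to the RDP listener; Get-WmiObject (not Get-CimInstance) keeps this on PS 2.0.
$rdpFilter = "TerminalName='RDP-Tcp'"
$rdp = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting -Filter $rdpFilter
Set-WmiInstance -Path $rdp.__PATH -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null

# Check 4: re-read the listener and confirm RDP now presents the new certificate.
$rdp = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting -Filter $rdpFilter
if ($rdp.SSLCertificateSHA1Hash -ne $cert.Thumbprint) {
    throw "RDP-Tcp still bound to $($rdp.SSLCertificateSHA1Hash); expected $($cert.Thumbprint)"
}
Write-Verbose "RDP-Tcp now uses $($cert.Thumbprint) ($($cert.SignatureAlgorithm.FriendlyName), expires $($cert.NotAfter))"
```

Run it elevated with `-Verbose` to see the final binding line; the WMI write to Win32_TSGeneralSetting takes effect for new RDP connections without restarting the service.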

Below is an image of the warning you get when connecting to a server using a self-signed certificate. Looking past that, we can see that RDP is now using sha256. Super.


Download script here.

Download makecert.exe here.


As always, Get-Help is your friend.